Maybe I am understanding this wrong but could you not just check in the config what the search base is set to on the client side? What is the problem you are trying to solve?
yes, you're right. i can just take a look at ldap.conf but there's several places to look:
- debian/ubuntu uses /etc/ldap/ldap.conf
- RHEL/CentOS uses /etc/openldap/ldap.conf
- custom compilations can use any path. ex: /usr/local/ldap/ldap.conf
- windows openldap uses... i don't really know :P
so what i'm trying to do is resolve the configured base without knowing anything about the client.
for example, this command gives me the server even if i don't know anything about the conf:
ldapsearch -d1 -x -LLL "(uid=example)" uid 2>&1 | grep ldap_connect_to_host
i'm just a little bit surprised that i can't find any debuglevel that gives me the BASE
abosch
-----Original Message-----
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Angel Bosch Mora
Sent: 24 November 2010 09:20
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] get base dn from ldapsearch
Maybe I am understanding this wrong but could you not just check in the config what the search base is set to on the client side? What is the problem you are trying to solve?
yes, you're right. i can just take a look at ldap.conf but there's several places to look:
- debian/ubuntu uses /etc/ldap/ldap.conf
- RHEL/CentOS uses /etc/openldap/ldap.conf
- custom compilations can use any path. ex: /usr/local/ldap/ldap.conf
- windows openldap uses... i don't really know :P
so what i'm trying to do is resolve the configured base without knowing anything about the client.
for example, this command gives me the server even if i don't know anything about the conf:
ldapsearch -d1 -x -LLL "(uid=example)" uid 2>&1 | grep ldap_connect_to_host
i'm just a little bit surprised that i can't find any debuglevel that gives me the BASE
Hmmm, that is a really interesting problem. I could not find any solution to it either.
<rant>
from the man page
-d debuglevel
    Set the LDAP debugging level to debuglevel. ldapsearch must be compiled with LDAP_DEBUG defined for this option to have any effect.
that is just bloody useless, why do I have to google to find a sun man page that contains the actual possible debug levels. Why is it not part of the man page in Red Hat / CentOS ?!!?!?!?!
Let's get rid of man pages, save some disk space and find everything with google, who reads man pages anyway.
</rant>
Regards
Oddly enough it looks like it comes out as part of the LDIF comment. If you skip the option to tell it to not output ldif comments you'll get your base:
$ ldapsearch -d1 -x "(uid=example)" 2>&1 | grep base
# base <dc=example,dc=com> (default) with scope subtree
----- Original message -----
Oddly enough it looks like it comes out as part of the LDIF comment. If you skip the option to tell it to not output ldif comments you'll get your base:
$ ldapsearch -d1 -x "(uid=example)" 2>&1 | grep base
# base <dc=example,dc=com> (default) with scope subtree
i don't get any result in my machine and i'm pretty sure i've my ldap.conf configured:
$ ldapsearch -d1 -x "(uid=example)" 2>&1 | grep base
# base <> with scope subtree
can this be a bug?
abosch
Hi...
Maybe a silly question but is there a tool/possibility to help in analyzing dirsrv log files (/opt/dirsrv/var/log/dirsrv/slapd-<name>/access)?
My LDAP Server is getting a lot of queries. But I am interested in filtering out the queries of a certain host to analyze them. This can be quite a pain. I first need to find its IP in the log (connection from x.x.x.x). Find the connection id left side of it and finally grep again the log with the connection id.
Has anyone done a script / tool for parsing the log and filter out certain connection sessions? This would aid a lot in analyzing the logs when one could isolate just certain connections.
How are you doing these things?
Thanks,
Roland
2011/5/17 Roland Schwingel Roland.Schwingel@onevision.com:
Maybe a silly question but is there a tool/possibility to help in analyzing dirsrv log files (/opt/dirsrv/var/log/dirsrv/slapd-<name>/access)?
See attachment. Probably needs some perldocs added.
Jeremy
On 05/17/2011 07:35 AM, Roland Schwingel wrote:
Hi...
Maybe a silly question but is there a tool/possibility to help in analyzing dirsrv log files (/opt/dirsrv/var/log/dirsrv/slapd-<name>/access)?
My LDAP Server is getting a lot of queries. But I am interested in filtering out the queries of a certain host to analyze them. This can be quite a pain. I first need to find its IP in the log (connection from x.x.x.x). Find the connection id left side of it and finally grep again the log with the connection id.
Has anyone done a script / tool for parsing the log and filter out certain connection sessions? This would aid a lot in analyzing the logs when one could isolate just certain connections.
How are you doing these things?
see /usr/bin/logconv.pl
Thanks,
Roland
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
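The manual procedure described in this thread (find the client's "connection from" line, note its conn id, then collect every line carrying that id) can be scripted. The following is an added example, not part of the thread and not logconv.pl; the log lines are constructed in the access-log layout and the function names are hypothetical. It also handles a conn id reappearing for a different client, for example after a server restart.

```python
import re
from collections import Counter

# Constructed sample lines in the dirsrv access-log layout (not from the thread).
SAMPLE_LOG = """\
[17/May/2011:07:30:01 +0200] conn=1 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[17/May/2011:07:30:01 +0200] conn=2 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
[17/May/2011:07:30:01 +0200] conn=1 op=0 BIND dn="uid=app,ou=people,dc=example,dc=com" method=128 version=3
[17/May/2011:07:30:01 +0200] conn=2 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs=ALL
[17/May/2011:07:30:01 +0200] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=app,ou=people,dc=example,dc=com"
[17/May/2011:07:30:02 +0200] conn=1 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="cn mail"
[17/May/2011:07:30:02 +0200] conn=2 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[17/May/2011:07:30:02 +0200] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[17/May/2011:07:30:03 +0200] conn=1 op=2 UNBIND
[17/May/2011:07:30:03 +0200] conn=1 op=2 fd=64 closed - U1
[17/May/2011:07:31:00 +0200] conn=3 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[17/May/2011:07:31:00 +0200] conn=3 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[17/May/2011:08:00:00 +0200] conn=1 fd=64 slot=64 connection from 10.0.0.9 to 10.0.0.1
[17/May/2011:08:00:00 +0200] conn=1 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=carol)" attrs=ALL
[17/May/2011:08:00:01 +0200] conn=3 fd=66 slot=66 connection from 10.0.0.9 to 10.0.0.1
[17/May/2011:08:00:01 +0200] conn=3 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=dave)" attrs=ALL
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) (.*)$")
OPEN_RE = re.compile(r"\bconnection from (\S+) to \S+$")
CLOSE_RE = re.compile(r"\bfd=\d+ closed\b")
OP_RE = re.compile(r"^op=-?\d+ ([A-Z]+)\b")


def sessions_for_client(lines, client_ip):
    """Return one list of log lines per connection opened by client_ip.

    A conn id is only trusted between its "connection from" line and its
    "closed" line. A later "connection from" line with the same id starts a
    new owner, so lines of another client are never attributed to client_ip
    just because the id number reappears (e.g. after a server restart).
    """
    active = {}     # conn id -> line list of the session currently using it
    sessions = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if m is None:
            continue
        conn, rest = m.groups()
        opened = OPEN_RE.search(rest)
        if opened:
            active.pop(conn, None)          # any earlier use of this id is over
            if opened.group(1) == client_ip:  # exact match, not a prefix match
                active[conn] = []
                sessions.append(active[conn])
        if conn in active:
            active[conn].append(line)
            if CLOSE_RE.search(rest):
                del active[conn]
    return sessions


def op_summary(session):
    """Count the request types (BIND, SRCH, ...) seen in one session."""
    counts = Counter()
    for line in session:
        verb = OP_RE.match(LINE_RE.match(line).group(2))
        if verb and verb.group(1) != "RESULT":
            counts[verb.group(1)] += 1
    return counts


if __name__ == "__main__":
    found = sessions_for_client(SAMPLE_LOG.splitlines(), "10.0.0.5")
    for n, session in enumerate(found, 1):
        print(f"--- session {n}: {dict(op_summary(session))}")
        print("\n".join(session))
```

To run it against a real log, pass the open file object of the access log instead of `SAMPLE_LOG.splitlines()`.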
Hi...
I got a question on how to move administration servers.
In my network I do have at present 3 subnets that are managed by 389ds.
Let's call them Net-A, Net-B and Net-C. Each subnet hosts a replica of the ldap tree. All ldap/admin servers are registered to the admin server on Net-A.
Due to some network restructurings Net-A will become a more or less "private" network. And I also will add 10 more networks (each will host a replica) to 389ds. They all should register to a new adminserver in Net-C.
So I need to move the central admin server from Net-A to Net-C. Is this possible while being in production? As I understand 389ds the adminservers are independent of the slapd processes doing the concrete ldap. For Net-A there will be a hole in the firewall to allow traffic to port 389,636 and 9830 to the other networks.
Any advice on how to accomplish the move of the adminserver de- and reregistration?
Thanks in advance for your help,
Roland
On 05/20/2011 03:04 AM, Roland Schwingel wrote:
Hi...
I got a question on how to move administration servers.
In my network I do have at present 3 subnets that are managed by 389ds.
Let's call them Net-A, Net-B and Net-C. Each subnet hosts a replica of the ldap tree. All ldap/admin servers are registered to the admin server on Net-A.
Due to some network restructurings Net-A will become a more or less "private" network. And I also will add 10 more networks (each will host a replica) to 389ds. They all should register to a new adminserver in Net-C.
So I need to move the central admin server from Net-A to Net-C. Is this possible while being in production? As I understand 389ds the adminservers are independent of the slapd processes doing the concrete ldap. For Net-A there will be a hole in the firewall to allow traffic to port 389,636 and 9830 to the other networks.
Any advice on how to accomplish the move of the adminserver de- and reregistration?
So currently you have all of the directory servers registered with a directory server running in Net-A - this is the directory server that hosts the o=netscaperoot suffix used to register and configure those servers in the console. This is on a machine with hostname ldap.neta or something like that. Now you want instead to have a new server ldap.netc and have all of the directory servers registered with that server instead?
Thanks in advance for your help,
Roland
Hi Rich...
Thanks for the reply,
So currently you have all of the directory servers registered with a directory server running in Net-A - this is the directory server that hosts the o=netscaperoot suffix used to register and configure those servers in the console. This is on a machine with hostname ldap.neta or something like that. Now you want instead to have a new server ldap.netc and have all of the directory servers registered with that server instead?
You are right.... When running setup-ds-admin.pl you have the option to register a new server to another already running server. This one is at present the one in net-a. Now I have to register all servers to a server in net-c.
Thanks for your kind help,
Roland
On 05/20/2011 02:25 PM, Roland Schwingel wrote:
Hi Rich...
Thanks for the reply,
So currently you have all of the directory servers registered with a directory server running in Net-A - this is the directory server that hosts the o=netscaperoot suffix used to register and configure those servers in the console. This is on a machine with hostname ldap.neta or something like that. Now you want instead to have a new server ldap.netc and have all of the directory servers registered with that server instead?
You are right.... When running setup-ds-admin.pl you have the option to register a new server to another already running server. This one is at present the one in net-a. Now I have to register all servers to a server in net-c.
Are you moving any of the servers other than the one that contains o=NetscapeRoot? If not, then you could try the following:
1) export the o=NetscapeRoot (NetscapeRoot) database from the server in net-a
db2ldif -U -n NetscapeRoot -a /path/to/nsroot.ldif
2) use perl/sed/awk/whatever you are most comfortable with to change references to net-a to net-c in nsroot.ldif
3) Create a suffix o=NetscapeRoot and database NetscapeRoot in the server in net-c
4) Import (initialize) the new o=NetscapeRoot with the old server data
Then, you'll have to edit the /etc/dirsrv/admin-serv/adm.conf in all of your servers to change any references to net-a to net-c, then restart the admin server (restart-ds-admin)
Finally, you'll have to run ldapmodify on all of your servers (except the one that has the new o=NetscapeRoot) to do something like this:
ldapmodify -x -h hostname -D "cn=directory manager" -W <<EOF
dn: cn=Pass Through Authentication,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: ldap://hostname.of.new.server.in.net-c/o=NetscapeRoot
EOF
You'll have to restart the server in order for this change to take effect, but if you don't want to manage the server via the console, you don't have to restart it.
Thanks for your kind help,
Roland
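Step 2 of the procedure above is where a plain sed pass can miss references: an LDIF value may be base64-encoded (`attr::`) or, if the file was folded, split across a continuation line. The following is an added example, not from the thread or the 389 project; the sample entry and its attribute values are constructed, and ldap.neta / ldap.netc are the placeholder hostnames used earlier in the thread.

```python
import base64
import re

# attr: value | attr:: base64 | attr:< url
ATTR_RE = re.compile(r"^([A-Za-z0-9;.-]+)(::|:<|:) ?(.*)$")

# Constructed sample entry: the old hostname appears in a DN, in a plain value,
# inside a base64 value (non-ASCII text) and split across a folded line.
_DESC = base64.b64encode("Konsole für ldap.neta".encode("utf-8")).decode("ascii")
SAMPLE = (
    "dn: cn=ldap.neta,ou=example,o=NetscapeRoot\n"
    "objectClass: top\n"
    "serverHostName: ldap.neta\n"
    f"description:: {_DESC}\n"
    "seeAlso: cn=admin-serv-ldap,cn=Administration Server,cn=Server Group,cn=ldap.ne\n"
    " ta,ou=example,o=NetscapeRoot\n"
)


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def rewrite_hosts(ldif_text, old, new):
    """Replace old with new in every attribute value of an LDIF export.

    Returns (new_ldif, plain_hits, base64_hits). Base64 values are decoded,
    rewritten as bytes and re-encoded. The output is written unfolded, which
    is still valid LDIF. Comments, blank separators and attr:< URL values
    are passed through unchanged.
    """
    old_b, new_b = old.encode("utf-8"), new.encode("utf-8")
    out, plain_hits, b64_hits = [], 0, 0
    for line in unfold(ldif_text):
        m = ATTR_RE.match(line)
        if m is None:
            out.append(line)
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            raw = base64.b64decode(value)
            hits = raw.count(old_b)
            if hits:
                value = base64.b64encode(raw.replace(old_b, new_b)).decode("ascii")
            b64_hits += hits
        elif sep == ":":
            plain_hits += value.count(old)
            value = value.replace(old, new)
        out.append(f"{attr}{sep} {value}" if value else f"{attr}{sep}")
    return "\n".join(out) + "\n", plain_hits, b64_hits


if __name__ == "__main__":
    new_ldif, plain, encoded = rewrite_hosts(SAMPLE, "ldap.neta", "ldap.netc")
    # A line-by-line text replace only sees the literal occurrences.
    print("visible to a plain text replace:", SAMPLE.count("ldap.neta"))
    print("rewritten in plain values:", plain, "in base64 values:", encoded)
    print(new_ldif, end="")
```

On the sample, a literal search sees two occurrences while the function rewrites four, so comparing the two counts on a real export shows whether a sed-only pass would have left stale references behind.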
Thanks rich... I will give that a try as soon as possible....
Hi...
Since yesterday I got some replication trouble.
My Scenario
server A              <-----  server B                        <----->  server C                        ----->   server D
(dedicated Consumer)          (multiple Master replica ID:1)           (multiple Master replica ID:2)           (Dedicated Consumer)
The arrows are depicting the replication directions. In that scenario everything is fine.
But I want to promote server D to a multiple Master replicating from/to server C.
On server D I enabled changelog and changed the Replica Role of userRoot to Multiple Master (now with replica id 3). I created a replication agreement to server C.
When enabling that I see these error messages in error log on server D. At 08:51:53 I enabled the replication agreement from server D to server C:
[13/Jul/2011:08:49:41 +0200] - 389-Directory/1.2.5 B2010.120.1414 starting up
[13/Jul/2011:08:49:41 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[13/Jul/2011:08:49:41 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[13/Jul/2011:08:51:53 +0200] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=mydomain,dc=com: 32
[13/Jul/2011:08:51:53 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mydomain,dc=com is going offline; disabling replication
[13/Jul/2011:08:51:53 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[13/Jul/2011:08:51:56 +0200] - import userRoot: Workers finished; cleaning up...
[13/Jul/2011:08:51:57 +0200] - import userRoot: Workers cleaned up.
[13/Jul/2011:08:51:57 +0200] - import userRoot: Indexing complete. Post-processing...
[13/Jul/2011:08:51:57 +0200] - import userRoot: Flushing caches...
[13/Jul/2011:08:51:57 +0200] - import userRoot: Closing files...
[13/Jul/2011:08:51:59 +0200] - import userRoot: Import complete. Processed 772 entries in 5 seconds. (154.40 entries/sec)
[13/Jul/2011:08:51:59 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mydomain,dc=com is coming online; enabling replication
[13/Jul/2011:09:11:00 +0200] NSMMReplicationPlugin - agmt="cn=server-d_to_server-c" (server-c:389): Unable to aquire replica: the replica has the same Replica ID as this one. Replication is aborting.
[13/Jul/2011:09:11:00 +0200] NSMMReplicationPlugin - agmt="cn=server-d_to_server-c" (server-c:389): Incremental update failed and requires administrator action
It says that it has the same replica id, but this is not true. I assigned replica ID 3 to server-d and replica ID 2 to server-c
from dse.ldif of server-d:
dn: cn=replica,cn="dc=mydomain, dc=com",cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: dc=mydomain, dc=com
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
cn: replica
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
 t
createTimestamp: 20110713065052Z
modifyTimestamp: 20110713071007Z
nsDS5ReplicaId: 3
nsState:: //8AAExAHU4AAAAAAAAAAAEAAAA=
nsDS5ReplicaName: 6c5f7682-1dd211b2-abcfd815-dc8d0000
numSubordinates: 1

from dse.ldif of server-c:
dn: cn=replica,cn="dc=mydomain, dc=com",cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: dc=mydomain, dc=com
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 2
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
cn: replica
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
createTimestamp: 20101105122639Z
modifyTimestamp: 20110713073144Z
nsState:: AgAAAMpJHU4AAAAAFgAAAAEAAAA=
nsDS5ReplicaName: ee6ae602-1dd111b2-ae7bc446-6a0e0000
numSubordinates: 2
I already erased and recreated the server-d a couple of times. Always with the same error. I created an empty instance of server-d and set it to be a dedicated consumer. Created replication agreement from server-c to server-d. Initialized consumer (server-d). On server-d I then enabled changelog and changed replication role to multiple master and assigned replica id 3. When I create the replication agreement from server-d to server-c I get this error.
What am I doing wrong? I did the same thing a while ago for server-b and server-c and there it worked without trouble. (server-b was initially the single master in my net before the other servers appeared).
Thanks for your help,
Roland
Hi....
Has no one any thoughts on this? I am currently really blocked on this. How do you promote a dedicated consumer to become a master server?
Thanks again for your help,
Roland
I'm far from being an expert but have you considered clearing the existing replication agreements and following the instructions for setting up multi-master from scratch?
Hi Penedo...
Thanks for your reply.... Yes.. I did that already a couple of times. I am always coming to the same error message...
Roland
From: Penedo penedo@gmail.com
To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org
Date: 14.07.2011 13:08
Subject: Re: [389-users] Replication trouble when promoting dedicated Consumer to Multiple master
Sent by: 389-users-bounces@lists.fedoraproject.org
I'm far from being an expert but have you considered clearing the existing replication agreements and following the instructions for setting up multi-master from scratch? On Jul 13, 2011 5:44 PM, "Roland Schwingel" < Roland.Schwingel@onevision.com> wrote:
Hi...
Since yesterday I got some replication trouble.
My Scenario
server A < ----- server B <-----> server C -----> server D (dedicated Consumer) (multiple Master replica ID:1) (multiple Master replica ID:2) (Dedicated Consumer)
The arrows are depicting the replication directions. In that scenario everything is fine.
But I want to promote server D to a multiple Master replicating from/to server C.
On server D I enabled changelog and changed the Replica Role of userRoot
to Multiple Master (now with replica id 3) I created a replication aggrement to server C.
When enabling that I see these error messages in error log on server D.
At
08:51:53 I enabled the replication agreement from server D to server C:
[13/Jul/2011:08:49:41 +0200] - 389-Directory/1.2.5 B2010.120.1414 starting up
[13/Jul/2011:08:49:41 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[13/Jul/2011:08:49:41 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[13/Jul/2011:08:51:53 +0200] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=mydomain,dc=com: 32
[13/Jul/2011:08:51:53 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mydomain,dc=com is going offline; disabling replication
[13/Jul/2011:08:51:53 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[13/Jul/2011:08:51:56 +0200] - import userRoot: Workers finished; cleaning up...
[13/Jul/2011:08:51:57 +0200] - import userRoot: Workers cleaned up.
[13/Jul/2011:08:51:57 +0200] - import userRoot: Indexing complete. Post-processing...
[13/Jul/2011:08:51:57 +0200] - import userRoot: Flushing caches...
[13/Jul/2011:08:51:57 +0200] - import userRoot: Closing files...
[13/Jul/2011:08:51:59 +0200] - import userRoot: Import complete. Processed 772 entries in 5 seconds. (154.40 entries/sec)
[13/Jul/2011:08:51:59 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mydomain,dc=com is coming online; enabling replication
[13/Jul/2011:09:11:00 +0200] NSMMReplicationPlugin - agmt="cn=server-d_to_server-c" (server-c:389): Unable to aquire replica: the replica has the same Replica ID as this one. Replication is aborting.
[13/Jul/2011:09:11:00 +0200] NSMMReplicationPlugin - agmt="cn=server-d_to_server-c" (server-c:389): Incremental update failed and requires administrator action
It says that it has the same replica id, but this is not true. I assigned replica ID 3 to server-d and replica ID 2 to server-c
from dse.ldif of server-d:
dn: cn=replica,cn="dc=mydomain, dc=com",cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: dc=mydomain, dc=com
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
cn: replica
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
 t
createTimestamp: 20110713065052Z
modifyTimestamp: 20110713071007Z
nsDS5ReplicaId: 3
nsState:: //8AAExAHU4AAAAAAAAAAAEAAAA=
nsDS5ReplicaName: 6c5f7682-1dd211b2-abcfd815-dc8d0000
numSubordinates: 1
from dse.ldif of server-c:
dn: cn=replica,cn="dc=mydomain, dc=com",cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: dc=mydomain, dc=com
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 2
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
cn: replica
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: cn=Multimaster Replication Plugin,cn=plugins,cn=config
createTimestamp: 20101105122639Z
modifyTimestamp: 20110713073144Z
nsState:: AgAAAMpJHU4AAAAAFgAAAAEAAAA=
nsDS5ReplicaName: ee6ae602-1dd111b2-ae7bc446-6a0e0000
numSubordinates: 2
I already erased and recreated the server-d for a couple of times. Always with the same error. I created an empty instance of server-d, set it to be a dedicated consumer. Created replication agreement from server-c to server-d. Initialized consumer (server-d). On server-d I then enabled changelog and changed replication role to multiple master and assigned replica id 3. When I create the replication agreement from server-d to server-c I get this error.
What am I doing wrong? I did the same thing a while ago for server-b and server-c and there it worked without trouble. (server-b was initially the single master in my net before the other servers appeared).
Thanks for your help,
Roland
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Do a
ldapsearch -b 'nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=mydomain,dc=com' -D <directory manager> -w <password> -s base objectclass=nstombstone
This gives you all the configured (history) of replication ids. The following is the output in my setup.
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=base
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4df7a107000000010000
nsds50ruv: {replica 1 ldap://yale:389} 4df7a396000000010000 4e19ad950000000100
 00
nsds50ruv: {replica 3 ldap://norquay:389} 4df7a39d000000030000 4e1605650000000
 30000
nsds50ruv: {replica 4 ldap://mustrum:389} 4df7a3a0000000040000 4dfb93650000000
 40000
nsds50ruv: {replica 2 ldap://louise:389} 4df7a39a000000020000 4e171a0700000002
 0000
o: base
nsruvReplicaLastModified: {replica 1 ldap://yale:389} 00000000
nsruvReplicaLastModified: {replica 3 ldap://norquay:389} 00000000
nsruvReplicaLastModified: {replica 4 ldap://mustrum:389} 00000000
nsruvReplicaLastModified: {replica 2 ldap://louise:389} 00000000
                                   /\
                                   |
                             replication-id
I am pretty sure you have somewhere there a duplicate of 3
-Reinhard
________________________________
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Roland Schwingel
Sent: Thursday, July 14, 2011 7:39 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Replication trouble when promoting dedicated Consumer to Multiple master
Hi Penedo...
Thanks for your reply.... Yes.. I did that already a couple of times. I am always coming to the same error message...
Roland
Hi Reinhard,
Thanks for your reply!!
389-users-bounces@lists.fedoraproject.org wrote on 14.07.2011 16:25:10:
From: Reinhard Nappert rnappert@juniper.net
To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org
Date: 14.07.2011 16:28
Subject: Re: [389-users] Replication trouble when promoting dedicated Consumer to Multiple master
Sent by: 389-users-bounces@lists.fedoraproject.org
Do a
ldapsearch -b 'nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=mydomain,dc=com' -D <directory manager> -w <password> -s base objectclass=nstombstone
This gives you all the configured (history) of replication ids. The following is the output in my setup.
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,o=base
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4df7a107000000010000
nsds50ruv: {replica 1 ldap://yale:389} 4df7a396000000010000 4e19ad950000000100
 00
nsds50ruv: {replica 3 ldap://norquay:389} 4df7a39d000000030000 4e1605650000000
 30000
nsds50ruv: {replica 4 ldap://mustrum:389} 4df7a3a0000000040000 4dfb93650000000
 40000
nsds50ruv: {replica 2 ldap://louise:389} 4df7a39a000000020000 4e171a0700000002
 0000
o: base
nsruvReplicaLastModified: {replica 1 ldap://yale:389} 00000000
nsruvReplicaLastModified: {replica 3 ldap://norquay:389} 00000000
nsruvReplicaLastModified: {replica 4 ldap://mustrum:389} 00000000
nsruvReplicaLastModified: {replica 2 ldap://louise:389} 00000000
                                   /\
                                   |
                             replication-id
I issued that command on my server Server C. I get the following results:
# extended LDIF
#
# LDAPv3
# base <nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=mydomain,dc=com> with scope baseObject
# filter: objectclass=nstombstone
# requesting: ALL
#
# ffffffff-ffffffff-ffffffff-ffffffff, mydomain.com
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff, dc=mydomain,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4bf162c6000000010000
nsds50ruv: {replica 2 ldap://server-c.mydomain.com:389} 4cd3fa1e00000002
 0000 4e1ef45b000000020000
nsds50ruv: {replica 3 ldap://server-d.mydomain.de:389}
nsds50ruv: {replica 1 ldap://server-b.mydomain.de:389} 4bf16732000000010
 000 4e1ffa3e000000010000
dc: mydomain
nsruvReplicaLastModified: {replica 2 ldap://server-c.mydomain.com:389} 4
 e1ef445
nsruvReplicaLastModified: {replica 3 ldap://server-d.mydomain.de:389} 00000000
nsruvReplicaLastModified: {replica 1 ldap://server-b.mydomain.de:389} 4e
 1ffa26
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
When I look at it I see that replica id 3 is assigned to my server-d (which should get that replica id). I started over, deleted my server-d, assigned it replica id 4, but nothing changes.
I also cannot get rid of the information for server-d in that nsuniqueid. How can I do that?
Thanks,
Roland
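An added example, not code from the thread or from the 389 project: a small parser for the nsds50ruv values that the ldapsearch discussed above returns. It flags replica IDs listed more than once, elements that carry no CSNs (as replica 3 does in Roland's output), and CSNs whose embedded replica ID differs from the element's ID; the CSN field layout and the finding names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the nsds50ruv values from the output above, with LDIF
# line folding (a continuation line starts with one space) restored.
SAMPLE = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff, dc=mydomain,dc=com
nsds50ruv: {replicageneration} 4bf162c6000000010000
nsds50ruv: {replica 2 ldap://server-c.mydomain.com:389} 4cd3fa1e00000002
 0000 4e1ef45b000000020000
nsds50ruv: {replica 3 ldap://server-d.mydomain.de:389}
nsds50ruv: {replica 1 ldap://server-b.mydomain.de:389} 4bf16732000000010
 000 4e1ffa3e000000010000
"""

# One RUV element: replica ID, supplier URL, then zero or more CSNs.
RUV_RE = re.compile(r"^nsds50ruv: \{replica (\d+) (\S+?)\}(.*)$")

def parse_ruv(ldif):
    """Return {replica_id: [(url, [csn, ...]), ...]} from nsds50ruv values."""
    ruv = defaultdict(list)
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():  # unfold first
        m = RUV_RE.match(line)
        if m:
            ruv[int(m.group(1))].append((m.group(2), m.group(3).split()))
    return dict(ruv)

def csn_rid(csn):
    # Assumed CSN layout (not stated in the thread): 8 hex digits time,
    # 4 sequence number, 4 replica ID, 4 sub-sequence number.
    return int(csn[12:16], 16)

def audit(ruv):
    """Return (replica_id, finding) pairs worth a second look."""
    findings = []
    for rid, elems in sorted(ruv.items()):
        if len(elems) > 1:
            findings.append((rid, "duplicate-id"))
        for url, csns in elems:
            if not csns:
                findings.append((rid, "no-csn"))
            elif any(csn_rid(c) != rid for c in csns):
                findings.append((rid, "csn-rid-mismatch"))
    return findings

if __name__ == "__main__":
    for rid, finding in audit(parse_ruv(SAMPLE)):
        print(f"replica {rid}: {finding}")
```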